Maldoc Analysis
Last modified: 2023-08-06
Malicious documents (maldocs, e.g. .doc) are Microsoft Office documents that contain malicious executable code, typically in the form of VBA macros.
Static Analysis
Extract Files in Doc
unzip example.doc
Note: this only works for OOXML containers (.docx/.docm), which are zip archives. A legacy binary .doc is an OLE compound file, not a zip; use the oletools commands described below for those.
Find Interesting Information
strings example.doc
exiftool example.doc
binwalk -e example.doc
Additionally, we can use CyberChef. Follow these steps:
- Open CyberChef
- Upload the suspicious doc file on CyberChef.
- Use the "Strings" function to extract strings.
- If the results contain obfuscated strings, add the "Find / Replace" function to strip the extra characters.
- If necessary, add the "Drop bytes" function to remove extra bytes.
Dump Macros
If you don't have oletools installed, install it first.
# Install the `oletools` module in a virtual environment
python -m venv venv
source venv/bin/activate
pip install oletools
To dump macros, run the following command (`-c` prints only the decompressed VBA source; omit it to also get olevba's analysis summary of suspicious keywords and auto-executable triggers).
olevba -c example.doc
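The following script is an added example (not part of the original page and not oletools code) that ties together the two static-analysis steps above: it identifies the container type by magic bytes, lists and unpacks the parts of an OOXML zip, extracts `strings`-style printable runs, checks whether a `vbaProject.bin` part is present, and flags well-known auto-execute and shell-out keywords of the kind olevba reports. The sample document it scans is constructed in memory with a plaintext fake `vbaProject.bin`; real VBA module streams are MS-OVBA compressed, so on a genuine maldoc the keyword scan is only a heuristic and `olevba` remains the tool for recovering the actual macro source. The keyword list and all file names are the example's own assumptions.

```python
import io
import re
import zipfile
from typing import Dict, List

# Assumed indicator list: VBA auto-execute entry points and common shell-out /
# download calls. Used only to rank which parts of a document to inspect first.
SUSPICIOUS_KEYWORDS = (
    "AutoOpen", "Document_Open", "Workbook_Open", "AutoExec",
    "Shell", "CreateObject", "WScript.Shell", "powershell",
    "URLDownloadToFile", "Environ(", "Chr(",
)

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.docm (OOXML zip)


def container_type(data: bytes) -> str:
    """Classify the document container from its leading magic bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of `strings`: printable ASCII runs plus UTF-16LE runs."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + \
           [s.decode("utf-16-le") for s in wide_runs]


def list_ooxml_parts(data: bytes) -> List[str]:
    """Equivalent of `unzip -l`: the member names of an OOXML container."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage(data: bytes) -> Dict[str, object]:
    """Static triage: container type, zip parts, VBA project presence, keyword hits."""
    kind = container_type(data)
    parts = list_ooxml_parts(data) if kind == "ooxml" else []
    has_vba = any(name.lower().endswith("vbaproject.bin") for name in parts)

    # OOXML: scan every unpacked part. OLE/unknown: scan the raw bytes. Note that
    # real VBA module streams are compressed, so keyword hits there are best-effort.
    blobs = [data]
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = [zf.read(name) for name in parts]

    hits = set()
    for blob in blobs:
        for s in extract_strings(blob):
            for kw in SUSPICIOUS_KEYWORDS:
                if kw.lower() in s.lower():
                    hits.add(kw)

    return {"container": kind, "parts": parts,
            "has_vba_project": has_vba, "keywords": sorted(hits)}


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal OOXML-style zip with a fake vbaProject.bin.
    The plaintext macro text is only there to exercise the scanner; a genuine
    vbaProject.bin stores modules MS-OVBA compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin",
                    b"\x00\x01Sub AutoOpen()\x00 Set o = CreateObject(\"WScript.Shell\")\x00")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_docm())
    print("container:", report["container"])
    print("parts:", ", ".join(report["parts"]))
    print("vbaProject.bin present:", report["has_vba_project"])
    print("keywords:", ", ".join(report["keywords"]))
```

To run it against a real file, replace `build_sample_docm()` with `open("example.doc", "rb").read()`; a result of `has_vba_project: True` or any auto-execute keyword is the cue to continue with `olevba` on the same file.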